03-25-2009 01:00 PM - edited 02-21-2020 03:22 AM
Using a 2811 on a router with 3 serial interfaces. I configured VPN on interface 0/2/0. The VPN pool is on subnet 172.16.5.0/24. All my servers are on 172.16.1.0/24. If I try to connect internally between the 2 subnets it works fine. However, when I try from a remote location using the Cisco VPN client, I am unable to get to anything after the VPN connection is established.
03-31-2009 11:23 AM
Can you post your configuration? Do you have the proper no nat statements in place?
04-13-2009 04:24 AM
04-13-2009 07:01 AM
I see 2 things that must be changed in your config.
First, you are using a pool that falls within the LAN range: 172.16.5.0/25 (Fa0/0), being a class C /24 subnet, covers the pool range, and the router thinks it has that IP range directly connected via that interface. I would use a different range instead.
Second, you are missing the no-NAT statements that exempt the return VPN traffic from being NATed.
Once you have defined a different range for the pool, go ahead and make the needed NAT changes, which should look like this:
! Named extended ACL used as the NAT source list. IOS evaluates it top-down,
! first match wins: the deny lines exempt LAN <-> VPN-pool traffic from NAT,
! the permit lines keep translating the LAN subnets toward everything else.
ip access-list extended nonat
 ! an extended entry needs a destination; the VPN pool is assumed here, the posted lines omitted it
 deny ip 172.16.1.0 0.0.0.255 172.16.5.0 0.0.0.255
 deny ip 172.16.5.0 0.0.0.255 172.16.1.0 0.0.0.255
 permit ip 172.16.1.0 0.0.0.255 any
 permit ip 172.16.2.0 0.0.0.255 any
 permit ip 172.16.3.0 0.0.0.255 any
 permit ip 172.16.4.0 0.0.0.255 any
! bind the list to the existing NAT pool (PAT)
ip nat inside source list nonat pool capturet overload
You would need to figure out your NATs the way you need them; however, the NAT bypass is required for VPN traffic.
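An added example, not from the thread: a small Python checker that evaluates a `nonat`-style extended ACL the way IOS does (top-down, first match wins, implicit deny at the end) and flags a VPN pool that overlaps the LAN subnet, the two problems raised in the reply above. The ACL text and addresses are constructed from that reply, and the 172.16.0.0/16 LAN mask is an assumption; the example also goes a step further and shows that a LAN subnet missing from the deny lines still gets translated.

```python
import ipaddress

# Constructed sample, modelled on the reply above. Note only 172.16.1.0/24 is
# exempted toward the pool; 172.16.2.0/24 is not, which the checks below expose.
NONAT_ACL = """\
ip access-list extended nonat
 deny ip 172.16.1.0 0.0.0.255 172.16.5.0 0.0.0.255
 permit ip 172.16.1.0 0.0.0.255 any
 permit ip 172.16.2.0 0.0.0.255 any
"""


def _to_network(addr, wildcard):
    """IOS wildcard is an inverted mask; assumes a contiguous wildcard."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)


def _pop_target(tokens):
    """Consume one source/destination spec; fail like IOS on a truncated entry."""
    if not tokens:
        raise ValueError("% Incomplete command: missing address, 'host' or 'any'")
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    if len(tokens) < 2:
        raise ValueError("% Incomplete command: missing wildcard mask")
    return _to_network(tokens[0], tokens[1]), tokens[2:]


def parse_acl(text):
    """Return [(action, src_net, dst_net)] for the 'permit ip'/'deny ip' entries."""
    rules = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 2 or tokens[0] not in ("permit", "deny") or tokens[1] != "ip":
            continue  # header line, comment or a non-IP entry
        src, rest = _pop_target(tokens[2:])
        dst, _ = _pop_target(rest)
        rules.append((tokens[0], src, dst))
    return rules


def is_natted(rules, src_ip, dst_ip):
    """True if 'ip nat inside source list' would translate this flow."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for action, src_net, dst_net in rules:
        if s in src_net and d in dst_net:
            return action == "permit"  # first match decides
    return False  # implicit deny: no match means no translation


def pool_overlaps_lan(pool_cidr, lan_cidr):
    """The first problem in the reply: a pool inside a connected subnet."""
    return ipaddress.ip_network(pool_cidr).overlaps(ipaddress.ip_network(lan_cidr))
```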
04-13-2009 10:13 PM
I configured the NAT pool range on 172.16.6.0/24 and created the access list as shown above.
However, after I connect the VPN, my IP config for the VPN client interface is:
IP address..............172.16.6.40
Subnet Mask.............255.255.0.0
Gateway.................172.16.0.1
DNS.....................172.16.1.7
What went wrong?
04-14-2009 06:32 AM
Sorry, I don't follow. To what did you make the change? Can you post your updated config?
04-14-2009 06:44 AM
04-14-2009 06:49 AM
OK, thanks. You left those lines there:
ip nat inside source list 12 pool capturet overload
ip nat inside source list 13 pool capturevpn overload
These are overriding the NAT you define after them.
04-14-2009 06:54 AM
I will remove these later on. What are the implications if I remove these lines? Do I have to reconfigure the way I do the NAT?
04-14-2009 07:03 AM
When using VPN, yes, you have to reconfigure the way you use NAT. As I explained earlier, VPN clients need to bypass NAT; with the standard setup you have, you will always NAT the reply back from the internal side, and this is not what you need, at least not for the VPN. Implications: well, you will need to refresh your NAT tables (clear them) to be able to remove those, but since you have another NAT rule that covers the same set of networks/NAT rules, it should not cause any major downtime.
04-14-2009 07:06 AM
Thank you, I will try it later and see how it works.
04-15-2009 08:15 PM
04-16-2009 05:55 AM
So you get connected, you get an IP address, and what are you trying to do after you connect?